Configuring 802.1x Wired Security with WK12 & Dell Switch

This how-to article configures a Windows Server 2012 R2 NPS server as the RADIUS authentication server for a Dell N2048 switch.

On Windows computers, if a user logs in to the domain with valid credentials while connected to the LAN, the network/internet connection is enabled; if the credentials are invalid, the computer will not connect to the network.

On computers running OS X you will have to enter a valid domain username and password for the computer to connect to the network.

Step-by-step guide

1. On the Dell switch, in global configuration mode:

authentication enable
dot1x system-auth-control
dot1x system-auth-control monitor
aaa authentication dot1x default radius
aaa authorization network default radius
radius-server host auth 192.168.0.X
primary
name "server_name"
usage 802.1x
key "your_radius_secret"
exit
radius-server host acct 192.168.0.X
key "your_radius_secret"
name "server_name"
exit

NB> Replace 192.168.0.X with the address of the NPS server that holds your 802.1X policy, server_name with the FQDN of the NPS server, and your_radius_secret with the RADIUS shared secret you configured on the NPS server.


2. Configure the uplink port so it is not required to authenticate

interface Gi1/0/48
switchport access vlan 10
dot1x port-control force-authorized
exit

The line dot1x port-control force-authorized is what makes the interface authorized automatically, without 802.1X authentication.

NB> The uplink must not be required to authenticate, or your switch will not be reachable over the network!


3. Configure authenticating ports.

interface Gi1/0/47
switchport access vlan 10
dot1x port-control mac-based
dot1x reauthentication
dot1x mac-auth-bypass
authentication order dot1x mab
exit


4. Configure the RADIUS client on the NPS server

Open NPS on the server, right-click RADIUS Clients and Servers, select New, and fill in the information using your switch IP address as the Address (IP or DNS) and the your_radius_secret you set earlier in the switch configuration.

Image 1: IT Solutions Sydney, New RADIUS Client


5. Configure the NPS Network Policy

Again in NPS, right-click Network Policies and select New. These are the things you have to specify:

Type of network access server: Unspecified.

Access Permission: Grant access. Grant access if the connection request matches the policy.

Conditions: add the domain user group that will be allowed to authenticate.

Constraints: only Authentication Methods need to be changed. See image 2:

Image 2: IT Solutions Sydney, New Network Policy

Settings: RADIUS Attributes > Standard. See image 3:

NB> Tunnel-Pvt-Group-ID is the VLAN ID on your switch, in this case VLAN 10.

Image 3: IT Solutions Sydney, New Network Policy 2


802.1X should now be working properly.

One strange thing I noticed: if you log in as a valid user, then log out and log back in as a non-valid user, the connection keeps working. It reauthenticates periodically, and at that point 802.1X will disconnect the client.


Add static MAC addresses to Interfaces of devices that can’t authenticate

Telnet to the switch, enter configuration mode and run the following commands. In this case MAC address 001a.8c75.3ca8 on VLAN 10 is allowed through interface gi1/0/20 only.

conf
mac address-table static 001a.8c75.3ca8 vlan 10 int gi1/0/20
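As an added example (not code from the original article), the following Python script audits a Dell N-series style running-config for ports that bypass 802.1X: interfaces left force-authorized that are not declared uplinks (see step 2) and devices admitted through static MAC entries as described above. The config text is constructed for the example, and the default port-control mode for a port with no explicit setting is assumed to be auto.

```python
import re
# Constructed running-config excerpt in the style of the Dell N-series CLI used in
# this article (sample text for the example, not captured from a real switch).
SAMPLE_CONFIG = """\
dot1x system-auth-control
interface Gi1/0/47
switchport access vlan 10
dot1x port-control mac-based
dot1x mac-auth-bypass
exit
interface Gi1/0/48
switchport access vlan 10
dot1x port-control force-authorized
exit
mac address-table static 001a.8c75.3ca8 vlan 10 int gi1/0/20
"""

def parse_interfaces(config):
    """Map interface -> {port-control, mab}; a port with no setting is assumed 'auto' (default)."""
    ports, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1].lower()
            ports[current] = {"port-control": "auto", "mab": False}
        elif line == "exit":
            current = None
        elif current and line.startswith("dot1x port-control "):
            ports[current]["port-control"] = line.split()[-1]
        elif current and line == "dot1x mac-auth-bypass":
            ports[current]["mab"] = True
    return ports

def static_mac_entries(config):
    """Return (mac, vlan, interface) for every static MAC address-table entry."""
    pat = re.compile(r"^mac address-table static (\S+) vlan (\d+) int(?:erface)? (\S+)", re.I)
    return [(m.group(1), int(m.group(2)), m.group(3).lower())
            for line in config.splitlines() if (m := pat.match(line.strip()))]

def audit(config, uplinks):
    """Report ports that bypass 802.1X: undeclared force-authorized ports and static-MAC devices."""
    known = {u.lower() for u in uplinks}
    findings = [f"{name}: force-authorized but not a declared uplink"
                for name, p in parse_interfaces(config).items()
                if p["port-control"] == "force-authorized" and name not in known]
    findings += [f"{intf}: static MAC {mac} on VLAN {vlan} is admitted without authentication"
                 for mac, vlan, intf in static_mac_entries(config)]
    return findings  # audit(SAMPLE_CONFIG, ["Gi1/0/48"]) -> only the gi1/0/20 static-MAC finding
```

Run it against the output of show running-config from your own switch, listing your real uplinks, to get a quick inventory of every port where the 802.1X policy is not actually enforced.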